SECURITY ON STEROIDS —

Security scanner probes 1 million IPs per hour for scary vulns

The service can scale linearly, so two boxes are twice as fast.

Immunity Inc. has released a security tool that can scan an astounding 1 million IP addresses per hour, determining whether they are susceptible to exploits that would let attackers hijack servers or retrieve sensitive data.

The entry-level package of Swarm, as the service is called, is a 4U server that includes 10 virtual machines. This gives it the ability to test a huge number of IP addresses against a battery of sophisticated exploits. The software inside scales linearly, meaning two of the boxes can scan roughly twice as fast, and so on, said Dave Aitel, head of Miami-based Immunity. Prices begin in the "low six figures."
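The article only says that Swarm scales linearly, not how the work is divided. The following is an added example written for this page, not Immunity's code: it shards an address range across a fixed number of scanner nodes by interleaving (node k takes every node_count-th host), so the shards are disjoint and cover the range exactly, and it turns the headline rate of 1,000,000 addresses per hour per box into a wall-clock estimate. The interleaved assignment and the per-node rate are assumptions of the example.

```python
"""Added example: sharding one scan across several scanner nodes.

Illustrative code written for this page, not Immunity's Swarm software,
whose internals the article does not describe. The article only says the
service scales linearly (two boxes scan roughly twice as fast); the
interleaved assignment below is one way to get that and is an assumption
of this example, as is the per-node rate of 1,000,000 addresses per hour
taken from the headline.
"""
import ipaddress
from typing import Dict, Iterator


def shard(network: str, node_index: int, node_count: int) -> Iterator[ipaddress.IPv4Address]:
    """Yield the host addresses of `network` assigned to one node.

    Node k gets every node_count-th host starting at offset k, so the
    shards are disjoint, cover the range exactly, and each node's probes
    are spread across the whole range instead of bursting at one subnet.
    Assumes an IPv4 prefix of /30 or shorter; the network and broadcast
    addresses are skipped.
    """
    if not 0 <= node_index < node_count:
        raise ValueError("node_index must be in [0, node_count)")
    net = ipaddress.ip_network(network, strict=False)
    first = int(net.network_address) + 1   # skip the network address
    last = int(net.broadcast_address) - 1  # skip the broadcast address
    addr = first + node_index
    while addr <= last:
        yield ipaddress.IPv4Address(addr)
        addr += node_count


def shard_sizes(network: str, node_count: int) -> Dict[int, int]:
    """How many addresses each node is responsible for."""
    return {k: sum(1 for _ in shard(network, k, node_count)) for k in range(node_count)}


def hours_to_scan(address_count: int, node_count: int,
                  per_node_per_hour: int = 1_000_000) -> float:
    """Wall-clock hours if node_count nodes share the work evenly.

    Linear scaling means the divisor grows with the node count: a second
    box halves the time. The default rate is the article's headline figure
    for a single Swarm box, taken at face value here.
    """
    if node_count < 1 or per_node_per_hour < 1:
        raise ValueError("node_count and per_node_per_hour must be positive")
    return address_count / (node_count * per_node_per_hour)


if __name__ == "__main__":
    # Constructed example: a /16 (65,534 hosts) split across the 10 VMs
    # the article says the entry-level box ships with.
    sizes = shard_sizes("10.0.0.0/16", 10)
    print("per-node counts:", sizes)
    print("total:", sum(sizes.values()))
    print("hours for 1M addresses, 1 box:", hours_to_scan(1_000_000, 1))
    print("hours for 1M addresses, 2 boxes:", hours_to_scan(1_000_000, 2))
```

Interleaving rather than handing each node a contiguous block also matters operationally: a contiguous split means one node hits one subnet in a tight burst, which is exactly the pattern intrusion detection flags and rate limiters throttle.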

Immunity is aiming Swarm at security professionals who work for large organizations with large online assets. The product gives them near-real-time situational awareness. If they learn of a new vulnerability in the latest version of the PHP programming language, for instance, they can almost instantaneously find out whether any systems anywhere in their global network are exposed.

"Making it trivial for them to do a quick scan across that space changes their whole operational behavior," Aitel told Ars. "It's no longer something where you have to go get a cup of coffee and then come back. It changes the way you behave when it's easy."

Swarm includes a subscription to more than 800 exploits in Immunity's catalog, which is known as the Canvas framework. A video demonstration of Swarm is here.

Yeah- a little more analysis please. What makes this different from other scanners out there? Why should we care about this one.

Don't get me wrong, I am interested, but maybe some comparisons or even just examples of other products/services that are competitors. But this is a pretty small group of targeted users. What can a small business use to accomplish something similar? Do they have any plans to have a SMB product (say, just a single virtual machine that can monitor a local LAN, or a list of 300 IPs)? (hey, a full on roundup, aimed at the different business classes would be awesome).

Yeah- a little more analysis please. What makes this different from other scanners out there? Why should we care about this one.

...but maybe some comparisons or even just examples of other products/services that are competitors.

Exactly. Currently Nessus scans any machine I don't know about for 49422 plugins. 800 exploits from Immunity seems a little thin. If Nessus were only scanning for 800 exploits, I would be done with my class B in no time flat too.

I would like to point out that Ars writers make different kinds of pieces for different categories of news. This piece is under "On the Radar" and is meant just to be a cursory look at something and not a full article. I am sure that Dan probably still has a good quota of large articles to write on a regular basis. You will see other topics with more in-depth coverage instead of this one.

Six figures for a 4U server with software that scans for vulnerabilities?

The last one is nothing new, software like this has existed already for years, and a 4U server, even with the best of the best in hardware, would never reach that price.

I think this is overpriced software on standard hardware. Most security companies just overprice their software big time. All they do is take a completely normal server, put their brand on it, load it with their software, which is mainly composed of open source components or other technology available for free, and then sell it as a security appliance for a big price to some corporate IT morons.

In the end, it's usually mediocre hardware, nothing you can't build or buy yourself, so you are just paying for the software, which, unless it's unique technology they invented, you can get from other vendors.

I admire companies releasing products. But what I find a coincidence is that they all decide to overcharge in the security IT field, while the world is moving to a service model where you can get some of these products for free bundled in other products.

I usually invest in this software and hardware, but not if I have to feel I'm an idiot for overpaying, which is what most of the companies that buy this do. You can count on one hand the very unique security companies in the IT field; the rest just take an open source product and sell the same free things with 2 or 3 more features for thousands and thousands. Sure, they need to put food on their tables, but I don't think their customers like to be fooled.

That distinction only occurs for users of the full site. iPhone users, for example, only see a list of stories with no obvious differentiation.

Maybe all "On the Radar" stories should come with a "This is just a quick FYI" header?

I view the site in a single layout as well on desktop because I don't like the split panes. Maybe they should mark categories in the article row as well even on full page to set the right expectations.

Immunity's product is different from Nessus, Qualys, and other vulnerability scanners (and similar to products like Metasploit and Core Impact) in that it actually runs an exploit to see if you're vulnerable. Other vulnerability scanners will perform limited probing, and thus are more prone to false positives.

Besides that, I think the 'big deal' here is how well this scales. 1 million IPs in an hour is a *lot* compared to any other off the shelf product currently available.
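The distinction drawn in the comment above, and the PHP scenario in the article, come down to what a scanner actually checks. The following is an added example written for this page; it is not part of the article, not this commenter's code, and not Immunity's. It shows the cheaper approach a mass scanner falls back on when it does not run an exploit, matching the PHP version advertised in HTTP headers against a fix threshold, and two ways that misleads: a lexicographic version comparison that reports a vulnerable host as patched, and vendor builds that backport fixes without changing the advertised version, so a banner match alone is a likely false positive. The fix threshold (5.2.10) and the four HTTP responses are constructed for illustration and do not describe a real advisory.

```python
"""Added example: what a banner-based version check can and cannot tell you.

Illustrative code written for this page, not Immunity's or any scanner
vendor's. Swarm, per the article and the comment above, runs an exploit
to confirm a finding; this shows the cheaper alternative it is being
contrasted with, banner matching, and two ways it misleads. The PHP
version threshold and the HTTP responses below are constructed for
illustration, not taken from a real advisory.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Matches e.g. "PHP/5.2.9" or "PHP/5.2.6-1+lenny9" in Server / X-Powered-By.
PHP_TOKEN = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)(?P<suffix>[^\s;,)]*)")

# Constructed sample responses (header dicts), as a mass scan might collect them.
SAMPLES: Dict[str, Dict[str, str]] = {
    "web-a": {"Server": "Apache/2.2.11 (Unix)", "X-Powered-By": "PHP/5.2.9"},
    "web-b": {"Server": "Apache/2.2.11 (Unix)", "X-Powered-By": "PHP/5.2.10"},
    "web-c": {"Server": "Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9"},
    "web-d": {"Server": "nginx"},  # expose_php=Off, or no PHP at all
}

# Hypothetical threshold: "the bug is fixed in 5.2.10". Not a real advisory.
FIXED_IN: Version = (5, 2, 10)


def parse_php_banner(headers: Dict[str, str]) -> Optional[Tuple[Version, str]]:
    """Return (version, suffix) from X-Powered-By or Server, or None."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name in ("x-powered-by", "server"):
        value = lower.get(name)
        if not value:
            continue
        m = PHP_TOKEN.search(value)
        if m:
            major, minor, patch = (int(g) for g in m.groups()[:3])
            return (major, minor, patch), m.group("suffix")
    return None


def naive_is_vulnerable(banner_version: str, fixed_in: str) -> bool:
    """The classic bug: comparing version strings lexicographically.

    '5.2.9' < '5.2.10' is False because '9' > '1', so a vulnerable host
    is reported as patched. Kept here only to show the failure mode;
    assess() below compares integer tuples instead.
    """
    return banner_version < fixed_in


def assess(headers: Dict[str, str], fixed_in: Version = FIXED_IN) -> str:
    """Classify a host from its banner alone.

    Returns one of:
      "patched"     advertised version is at or above the fix
      "vulnerable"  upstream build below the fix
      "verify"      below the fix but a vendor or pre-release build; distros
                    backport fixes without bumping the version, so only an
                    active check (what the comment says Swarm does) settles it
      "unknown"     no PHP banner; absence of a banner is not safety
    """
    parsed = parse_php_banner(headers)
    if parsed is None:
        return "unknown"
    version, suffix = parsed
    if version >= fixed_in:
        return "patched"
    if suffix:
        return "verify"
    return "vulnerable"


if __name__ == "__main__":
    for host, headers in SAMPLES.items():
        print(f"{host}: {assess(headers)}")
    print("naive string compare flags 5.2.9 against a 5.2.10 fix:",
          naive_is_vulnerable("5.2.9", "5.2.10"))  # False: wrong answer
```

The "verify" bucket is where the comment's point lives: a scanner that stops at the banner either reports every such host as vulnerable (false positives on backported builds) or ignores them (false negatives); a scanner that runs the exploit gets an answer, at the cost of the approval and noise issues raised further down the thread.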

I'm getting a little tired of these articles which are little more than reprints of information pulled from elsewhere on the web. Dan, what happened to analysis and thoughtful insight? You've shown mastery of the copy/paste.

This isn't as useful as I first thought. The level of tape we have to go through for a pen test compared to just a regular vulnerability scan is ridiculous. And if you're trying to do a pen test, it wouldn't be best to flood millions of boxes in an hour, that's pretty damn noisy.

I didn't see anything in the video or press release on reporting, so that could be a little disappointing.

While not useful for pen testing, nCircle, Nessus and Retina have great cursory vulnerability scanning capabilities and allow easy report generation, which is vital if you have 500,000+ IPs you need to scan and perform a risk assessment.

Admittedly, there is a level of red tape you have to go through for penetration tests. We work hard on getting our exploits as reliable as possible to help ameliorate any concerns there, but nothing is perfect when you're talking buffer overflows or similar techniques.

Cool, I'll check it out. We use Core a little bit in combination with BackTrack, but typically our scope is defined down to no more than 1000 systems due to the way the systems break down into their parent orgs. And it's such a pain getting approval for an actual pen test that we only get a few a year on our customers.

It's just unfortunate that when we do vulnerability scans, we get to test 10,000's of IPs at once, but not so for our pen tests.